Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 22:24
Static task
static1
Behavioral task
behavioral1
Sample
2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe
Resource
win7-20220812-en
General
-
Target
2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe
-
Size
778KB
-
MD5
9ad01f5b8ca1d4f88f10b2dfc42cd8b8
-
SHA1
a12740157e8582973eeb1724834eaeb2f02d3528
-
SHA256
2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c
-
SHA512
91031f0694eca538f94c09256df877c67a94b34f4ac3c9c14b00a4ae1dc8414f03a72e9cdfb07c39e09d5a97d020e193412f084ad6f6830a3ef6ea7206f67fc9
-
SSDEEP
24576:h1OYdaOhwkBM0MlnPTdF7/c4TTLWEuhMD:h1OsrM1PrQiLDuiD
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 5016 cpfH7NcBMgWXVJu.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\adnkagodbfngmdajbbocegjnllfmdaie\194\manifest.json cpfH7NcBMgWXVJu.exe File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\adnkagodbfngmdajbbocegjnllfmdaie\194\manifest.json cpfH7NcBMgWXVJu.exe File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\adnkagodbfngmdajbbocegjnllfmdaie\194\manifest.json cpfH7NcBMgWXVJu.exe File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\adnkagodbfngmdajbbocegjnllfmdaie\194\manifest.json cpfH7NcBMgWXVJu.exe File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\adnkagodbfngmdajbbocegjnllfmdaie\194\manifest.json cpfH7NcBMgWXVJu.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5040 wrote to memory of 5016 5040 2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe 82 PID 5040 wrote to memory of 5016 5040 2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe 82 PID 5040 wrote to memory of 5016 5040 2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe"C:\Users\Admin\AppData\Local\Temp\2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\7zS7525.tmp\cpfH7NcBMgWXVJu.exe.\cpfH7NcBMgWXVJu.exe2⤵
- Executes dropped EXE
- Drops Chrome extension
PID:5016
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5fc6fdd935a9e497d7a14ed6051c6236c
SHA11b6fbd2643ae821aba3c18ae28ed4acffdf167ed
SHA25610a9fe92a4f5532732e157af27f5d3956b5d820b8d3b2ed899e49e230866c488
SHA512c5c7d8c840a4f0d86d0df28af0054a30ed567d9d5270946b607eaca90b846316daff46a3cb366ffd49798f7bdae109de12e35096b5096e0eac6896be0d9843a3
-
Filesize
138B
MD53026b0ad6d0afbb764a8a27343b3939f
SHA1b5d2d5e95c175ec0f99064f9fec624dfdea9e5af
SHA25678d4139b86a3b6d4120a2cc842b297836a7105e88e31c0024b70509d75a3e4fe
SHA5125f41b806a9609f10cb74843e37df8f83a0ce3a4486bc6e7a290565f4e4f0332255c535066a804ab3446c033e5675cc39ea12d075c52ad862f3f91d4bb7c79cbf
-
Filesize
144B
MD5fca19198fd8af21016a8b1dec7980002
SHA1fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA51260f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
Filesize
531B
MD536d98318ab2b3b2585a30984db328afb
SHA1f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA5126f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
-
Filesize
602B
MD51c4ec8777b06b44ac733449636d41237
SHA114bf83feb6ee84cfcea24b85722024b7d12f6031
SHA256e4e7eb22bc46bd3ece4cd3cfd870a3e96bd58dc29ea8926f0fa6889bdd94245d
SHA512202f498effd0d182e33d0093cd425ccd03892c0e47e9f1c1d2665740530914aedac4c3f1b89b46f69dc830b4e075be0b5a51f775065e0c47214b0bccf6830efd
-
Filesize
1KB
MD5efa49fd114d4bf4a05d50f09d567680c
SHA16a49cde626462db1ec81aefc1077e1aa22f8047a
SHA256d2620184912c3d178287723f655cf6a09e452e849b4c107e74c5f7e6402a648d
SHA512319698931df5e954a9bbaefd24b1154410b58c89032550a7da54a473323c8c07ffc270660650f4dea2db7f22a142c92f08960da4ed495287eb83091168e35df8
-
Filesize
631KB
MD58580d9d21b9f472b70bbc3a91b2dfb3b
SHA1ec67fec4cecc50564c4c89db6c305b7c5dc8548e
SHA25681d9ccdaefd6600fd727ca34ec858a126539e9204c0f842696b186b51ebc8fb0
SHA5125af5106ebc64fc9df1d75b9f1045010ce60aaa706c5881bac28193dae5524ece55f81cba149076272a275535edab8f098920170f6a4554f92dd07b647f570948
-
Filesize
631KB
MD58580d9d21b9f472b70bbc3a91b2dfb3b
SHA1ec67fec4cecc50564c4c89db6c305b7c5dc8548e
SHA25681d9ccdaefd6600fd727ca34ec858a126539e9204c0f842696b186b51ebc8fb0
SHA5125af5106ebc64fc9df1d75b9f1045010ce60aaa706c5881bac28193dae5524ece55f81cba149076272a275535edab8f098920170f6a4554f92dd07b647f570948